supernav-iconAccess + Control | GRC Evolves at Drataverse Digital
Contact Sales
HomeGeneral Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

Last update: May 18, 2023


At Drata, the privacy and security of your data is our top priority. GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens. At Drata, our entire organization is hard at work ensuring that our own practices are GDPR-compliant. But equally important to us is helping you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own.


SECTION

STATUS

EXPLANATION

Individual in charge of GDPR

Currently Available

Matt Hillary, CISO

Data Protection Officer

Currently Available

Matt Hillary, CISO

Purpose of Processing

Currently Available

Continuous monitoring and evidence collection of security controls mapped to various compliance frameworks to streamline audit preparation and to efficiently remediate security and compliance gaps. For more details, see Drata’s Privacy Policy – How We Use Your Personal Information (https://drata.com/privacy).

Lawful Basis of Processing and Consent

Currently Available

Under Article 6 of GDPR (https://gdpr-info.eu/art-6-gdpr), it falls under:

Consent: Via SAS Agreement and Opt-in of Terms and Conditions. Removal of consent will be done on request or via the drata Web App.

Contract: Via contracts with clients which give Drata permission to manage their Data for the purpose of helping them achieve Data Privacy and Security Compliance.

Legitimate Interest: It is in the legitimate interest of clients to share their data with Drata for the purpose of helping them achieve Data Privacy and Security Compliance.

For more information, see the Drata Privacy Policy (https://drata.com/privacy) – “GDPR Notice” section

Withdrawal of consent (or opt out)

Currently Available

For Users, withdrawal of consent or opting out after initial consent/opt-in will be able available via the webapp (https://app.drata.com). For Visitors, opting out can be done by emailing [email protected].

Cookie Policy

Currently Available

Cookie Policy

Deletion Policy

Currently Available

Deletion of data for clients is available when terminating a contract. Data Deletion on the website (drata.com) for visitors can be done by contacting [email protected]

Data Access / Modification / Portability

Currently Available

Users can Access, Modify and Download their data directly from the Web App. Visitors can request a copy or update of their data by emailing [email protected].

Data Protection Info

Currently Available

Drata deploys and maintains a single tenant Database architecture, alongside best industry practices in security attested to in a SOC 2 Type 2 report covering security, confidentiality, availability, and processing integrity.

Notification of Data Breach

Currently Available

Drata’s data breach notification process is outlined within its Incident Response Policy, and made available upon request.

Drata is a security and compliance automation platform that continuously monitors and collects evidence of a company’s security controls, while streamlining workflows to ensure audit-readiness.

Solutions

StartupScaleEnhanceDrata PlatformIntegrations
Frameworks
Cyber EssentialsSOC 2ISO 27001HIPAAGDPRCustom FrameworksAll Frameworks
Resources
BlogEventsWebinarsReportsCompliance GlossaryCommunityAPI Documentation
Company
Careers
HIRING
CustomersAuditorsPartnersPressContact Us
Trust
Security and ComplianceTrust CenterSystem Status
Become a Trusted Newsletter Insider

The latest security and compliance news, delivered.

© 2023 Drata Inc. All rights reserved.

Privacy PolicyGDPRTermsCookiesDisclosure PolicySub-processorsData Processing Addendum